ADFS Configuration Wizard Fails with Error “The certificates with the CNG private key are not supported”

  • Article

Want to allow ADFS to be installed correctly? Our trusty Canadian PFE Gregg O’Brien shows us a recent issue he resolved at a customer’s site and how he quickly brought balance back to the force….

Upon installing a new ADFS infrastructure or upon renewal/replacement of the certificate on an existing ADFS infrastructure, you may receive an error stating, “The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.”

ADFS Configuration Wizard Failed With CNG Private Key Error

This problem occurs because the certificate used employs newer cryptographic technology known as Cryptographic Next Generation (CNG). CNG permits the use of a suite of newer public key providers which are not compatible with ADFS.

To resolve the issue, use a certificate that does not use the CNG suite.

If you are using a Microsoft Certificate Authority to issue the certificate, you can ensure the use of the legacy API by using a certificate template that specifies a Legacy Cryptographic Service Provider. This can be achieved by selecting a V1 template such as the Web Server Certificate and duplicating it.

Duplicating Web Server Certificate Template

Then make sure that the appropriate CSP is chosen:

Selecting Specific CSP In Custom Certificate

Once you have the correct CSP and have enabled it on your Certificate Authority, you can issue the certificate to the server and then export it.

Allowing Custom Certificate Template To Be Issued

Allowing Custom Certificate Template To Be Issued

Once it’s exported you can import it into the wizard and complete the configuration.

If you have received your certificate from a public certificate authority, you will need to contact them to reissue your certificate with a legacy CSP so that the ADFS wizard can accept the certificate.

Posted by Rhoderick Milne, newbie MSPFE Editor

Comments

  • Anonymous
    January 01, 2003
    Thanks! It works perfectly!!
  • Anonymous
    January 01, 2003
    You should add this to the following TechNet Article:
    https://msdn.microsoft.com/en-us/library/azure/dn151311.aspx
    Because on this article, I can't find the requirement of a specific cryptographic provider
  • Anonymous
    December 11, 2013
    The comment has been removed
  • Anonymous
    February 14, 2014
    Thanks! This helped - the 2012 interface didn't look like some of you pictures but I figured it out.
  • Anonymous
    March 17, 2014
    The comment has been removed
  • Anonymous
    May 18, 2016
    Awesome, Thanks!!
  • Anonymous
    August 08, 2017
    The comment has been removed
    • Anonymous
      September 26, 2017
      My sentiments EXACTLY! I can't believe this error pops up on the last step and isn't documented anywhere in the prerequisite checklists. Totally absurd.